Vulnerability in PGP / GPG and S / MIME encryption of emails: Apple Mail, Outlook and Co. affected

This is a security breach known today PGP / GPG and S / MIME encryption of e-mail concerns. Various authorities and security organizations have already spoken. We tell you what it is about.

Security researchers discover security holes in email encryption

Security researchers have discovered a vulnerability in the PGP / GPG and S / MIME encryption of emails. Both Apple Mail, Microsoft Outlook and Mozilla Thunderbirds are affected.

It seems that the attack on the implementation of the encryption is carried out in the mail client and not itself via the encryption. But what is in the details behind the attack, the security researchers announced tomorrow, Tuesday. Until then it is recommended to deactivate appropriate encryption plug-ins. For example, how to disable PGP in Apple Mail explained The EFF (Electronic Terry Foundation) Also already sent mails, should be able to be read out in plain text.

The Federal Office for Security in Information Technology writes

Security researchers from the M√ľnster University of Applied Sciences, the Ruhr University Bochum and the University of Leuven (Belgium) have found serious weaknesses in the widely used OpenPGP and S / MIME e-mail encryption standards and informed the Federal Office for Information Security (BSI). Attackers can thus manipulate encrypted emails in such a way that the content of the message is sent to them in clear text after being decrypted by the recipient. However, according to the BSI, these e-mail encryption standards can still be used safely if they are implemented correctly and configured securely.

To exploit the vulnerabilities, an attacker must have access to the recipient’s transport path, mail server, or e-mail inbox. In addition, active content must be allowed on the receiver side, such as the execution of html code and in particular the reloading of external content. This is currently the default, especially for mobile devices. E-mail client manufacturers have announced or provided updates on their products. Regardless of specific security updates, secure configuration also protects.

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: